Hackers Weaponize Browser Cache to Deliver Malware Without Detection

Cache smuggling

Cybersecurity researchers have uncovered a sophisticated phishing campaign that exploits browser caching mechanisms to smuggle malware onto victims' computers—completely bypassing traditional security defences that monitor file downloads.

The attack, discovered by threat intelligence expert Marcus Hutchins (known for stopping the WannaCry ransomware), represents a dangerous evolution of ClickFix social engineering tactics. Unlike conventional malware delivery methods, this technique never explicitly downloads malicious files or communicates with the internet, making it nearly invisible to standard security tools.

How the Attack Works

The campaign masquerades as a "Fortinet VPN Compliance Checker," targeting enterprise employees with remote access credentials. Victims are tricked into copying what appears to be a harmless file path into Windows Explorer. However, the clipboard actually contains a hidden PowerShell script padded with 139 spaces to conceal malicious code.

The innovation lies in what happens next. The phishing webpage loads a fake "image" file that browsers automatically cache locally. This supposed JPEG is actually a disguised ZIP archive wrapped between unique identifier strings ("bTgQcBpv" and "mX6o0lBw"). The hidden PowerShell script then searches through the browser's cache directory, extracts the malicious payload using regular expressions, and executes it—all without triggering alerts from security software monitoring network traffic or file downloads.

"This technique enables the malware to bypass many different types of security products," the researchers note. "Neither the webpage nor the PowerShell script explicitly downloads any files."
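A defender-side check for the cache artefact described above, added here as an example rather than code from the researchers or the article: it scans cached entries for a ZIP archive that does not start at offset zero (that is, one wrapped inside something that is, or claims to be, an image) and records the printable bytes immediately before it, which in this campaign were the delimiter the dropper's regex keyed on. The detector deliberately does not depend on the specific marker strings, so it generalises to variants of the technique; the sample data is constructed in `build_sample()` using the marker strings quoted in the article.

```python
import io
import re
import zipfile
from pathlib import Path
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record
IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"RIFF")


def scan_bytes(data: bytes) -> Optional[dict]:
    """Report a ZIP archive embedded inside an image-like cache entry.
    Any ZIP local header found past offset 0, or at offset 0 behind an image
    magic, is reported; a plain ZIP cached as a ZIP is not this technique."""
    hdrs = [m.start() for m in re.finditer(re.escape(ZIP_LOCAL_HEADER), data)]
    if not hdrs:
        return None
    first = hdrs[0]
    has_image_magic = data.startswith(IMAGE_MAGICS)
    if first == 0 and not has_image_magic:
        return None
    # Printable run just before the archive: the delimiter the dropper keys on.
    prefix = re.search(rb"[A-Za-z0-9]{4,32}$", data[max(0, first - 32):first])
    return {
        "zip_offset": first,
        "image_magic": has_image_magic,
        "complete_archive": ZIP_EOCD in data[first:],  # helps triage chance hits
        "leading_marker": prefix.group(0).decode() if prefix else None,
    }


def scan_cache_dir(cache_dir: Path, max_bytes: int = 8_000_000) -> dict:
    """Walk a browser cache directory (path is the caller's assumption) and
    collect findings keyed by file path."""
    findings = {}
    for p in cache_dir.rglob("*"):
        if p.is_file() and p.stat().st_size <= max_bytes:
            f = scan_bytes(p.read_bytes())
            if f:
                findings[str(p)] = f
    return findings


def build_sample() -> tuple:
    """Constructed test data: a benign JPEG-like blob and a harmless archive
    wrapped in the marker strings quoted in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("payload.txt", "constructed sample, not malware")
    smuggled = b"bTgQcBpv" + buf.getvalue() + b"mX6o0lBw"
    benign = b"\xff\xd8\xff\xe0" + bytes(24) + b"\xff\xd9"
    return benign, smuggled
```

Run `scan_cache_dir()` against the profile cache directory of the browsers in use and pair any hit with process telemetry showing a non-browser process (such as PowerShell) reading that directory, which is the second signal the article's protection advice points to.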

Protection Strategies

Security teams should monitor for unexpected processes accessing browser cache directories and restrict PowerShell usage to authorised personnel. Organisations can also deploy DNS filtering to block newly registered domains and implement user education programs focused on ClickFix scams.

While not yet widespread, cache smuggling has appeared in previous campaigns and represents a concerning trend as attackers develop increasingly evasive techniques to compromise corporate networks.
